Synology NAS servers plagued by Ransomware (updated)

Multiple users of the popular Synology NAS are complaining that their NAS unit was infected with ransomware that encrypts their data and renders it inaccessible. A new malware called Synolocker encrypts all files on the NAS server; users who want their data unlocked have to pay hundreds of euros to retrieve their files.

End users are complaining on the Synology forum that they cannot access their data anymore and that, to unlock and decrypt it, they are forced to pay 0.6 Bitcoin (260 EURO) through a TOR hidden website. At this point it is unclear whether end users can in fact access the data again after they have paid.

Synolocker seems to closely resemble CryptoLocker, the dreaded ransomware that affected many users. Up to this moment it is unclear how Synolocker installs itself; it could be through a leak in the user interface, hacked SSH or even FTP. Often an infection like this is the result of not updating firmware in combination with exposing the NAS units to the world wide web. The current rumor is that affected users have an old DSM for which Heartbleed was not fixed. Others claim that the infected NAS units all had the EZ-Internet service enabled.

For now we advise taking your Synology NAS offline until Synology releases an explanation; typically they are very fast with their fixes. Do not allow your NAS to be publicly reachable from the internet through your router. Also make sure you have the latest firmware for your Synology NAS server installed.

Earlier this year Synology NAS systems were abused to mine bitcoins and dogecoins. It is claimed that the attackers were able to mine up to half a million EURO.

Update:

The issue is currently localized to NAS units running non-updated versions of DSM 4.3, but Synology is investigating if the hack works on DSM 5.0 as well.

Synology is urging users to take the following steps: close all ports for external (Internet) access and unplug your NAS from your local network; with your NAS plugged into just one machine, update DSM to the latest version; and back up your data. If your NAS unit is infected, disconnect it from the network, perform a hard shutdown, and contact Synology. The issue highlights one of the many dangers of a distributed currency, in which the beneficiary of funds is difficult to trace.

Here's an emergency statement from Synology (the company is preparing a press-release):

You may have heard by now that DSM is undergoing a CryptoLocker hack called SynoLocker – as of yesterday (08/03/14). It’s a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350). So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on, and researching the issue to see if it also affects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:

A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router

B. Update DSM to the latest version

C. Backup your data as soon as possible

D. Synology will provide further information as soon as it is available.

If your NAS has been infected:

A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.

B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.

C. Contact Synology Support as soon as possible at http://www.synology.com/en-global/support/knowledge_base

Update 2:

Synology has been investigating and working with users affected by a recent ransomware called "SynoLocker." Synology has confirmed the ransomware affects Synology NAS servers running older versions of DiskStation Manager, by exploiting a vulnerability that was fixed in December, 2013, at which time Synology released patched software and notified users to update via various channels.

Affected users may encounter the following symptoms:

When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

Abnormally high CPU usage or a running process called "synosync" (which can be checked at Main Menu > Resource Monitor).

DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.

For users who have encountered the above symptoms, please shut down the system immediately to avoid more files from being encrypted and contact our technical support here. However, Synology is unable to decrypt files that have already been encrypted.

For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:

DSM 4.3-3827 or later

DSM 4.2-3243 or later

DSM 4.0-2259 or later

DSM 3.x or earlier is not affected

Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update.

Synology sincerely apologizes for any problems or inconvenience this issue has caused our users. As cybercrime proliferates and increasingly sophisticated malware evolves, Synology continues to devote resources to mitigate threats and is dedicated to providing users with reliable solutions.
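The build thresholds and the "synosync" symptom from Synology's statement above can be turned into a quick triage check for one unit or a list of units. This is an added example, not Synology's code; the `key="value"` layout of the version file (as found in `/etc.defaults/VERSION`), the function names and the sample input are assumptions.

```python
import re

# Build thresholds copied from the advisory text above:
# branch -> (last build listed as affected, first build listed as fixed)
ADVISORY = {
    (4, 3): (3810, 3827),
    (4, 2): (3236, 3243),
    (4, 1): (2851, None),   # the advisory lists no fixed 4.1 build
    (4, 0): (2257, 2259),
}

# Constructed sample of a DSM version file (assumed key="value" layout).
SAMPLE_VERSION = 'majorversion="4"\nminorversion="3"\nbuildnumber="3810"\n'

def parse_version_file(text):
    """Return (major, minor, build) from key="value" lines."""
    fields = dict(re.findall(r'^(\w+)="?([^"\n]*)"?$', text, re.M))
    return (int(fields["majorversion"]), int(fields["minorversion"]),
            int(fields["buildnumber"]))

def classify(major, minor, build):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown'."""
    if major <= 3:
        return "not-affected"   # "DSM 3.x or earlier is not affected"
    if major >= 5:
        return "patched"        # DSM 5.0 is the recommended upgrade
    if (major, minor) not in ADVISORY:
        return "unknown"
    last_bad, first_good = ADVISORY[(major, minor)]
    if build <= last_bad:
        return "vulnerable"
    if first_good is not None and build >= first_good:
        return "patched"
    return "unknown"            # build falls between the two listed builds

def triage(version_text, process_names):
    """Combine the version check with the 'synosync' process symptom."""
    if "synosync" in process_names:
        return "symptom present: hard shutdown, contact Synology"
    status = classify(*parse_version_file(version_text))
    if status in ("vulnerable", "unknown"):
        return "isolate and update DSM"
    return "ok"

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, ["sshd", "httpd"]))
```

Builds that the advisory does not cover are reported as "unknown" rather than guessed, so they get the same isolate-and-update treatment as known-vulnerable ones.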

#4888000 Posted on: 08/04/2014 02:55 PM
Bastards! Just put a pair of 6TB Reds in mine, luckily I've not put all my data back and still have the data backed up, plus I switched it off this morning so we'll check it when I get home and see if it was infected! Did Synology infect the latest DSM on purpose I wonder

BangTail
Maha Guru

Posts: 2179
Joined: 2006-10-15

#4888006 Posted on: 08/04/2014 03:02 PM
No issues on any of mine - I suspect this has something to do with old DSMs.

BarryB
Maha Guru

Posts: 1056
Joined: 2007-07-11

#4888008 Posted on: 08/04/2014 03:04 PM

no issues on any of mine - i suspect this has something to do with old dsms.

yet!!!

BangTail
Maha Guru

Posts: 2179
Joined: 2006-10-15

#4888019 Posted on: 08/04/2014 03:19 PM
Well, they are all offline now until we get some kind of clarification from Synology as to whether it is a security issue with an older DSM or a more current issue.

BarryB
Maha Guru

Posts: 1056
Joined: 2007-07-11

#4888049 Posted on: 08/04/2014 04:34 PM
I checked mine when not online and all ok, but now powered down! Fcuking scumbags, someone ought to track em' down and film them being shot!!

#4888073 Posted on: 08/04/2014 05:30 PM
this is so misleading it's borderline hilarious.

it isn't synology's fault that the user hasn't secured their system / NAS sufficiently.

EDIT: just read up about their E-Z software that opens it up to takeovers... that's BAAAAAAAAAD!

block the ports ladies and gents, plug them holes!

eXXon
Newbie

Posts: 42
Joined: 2014-01-07

#4888202 Posted on: 08/04/2014 09:54 PM
I'm not a miner so not sure about this, but since they ask for the BTC to be sent to an address in the 1st step, why not just trace it?

sykozis
Ancient Guru

Posts: 19652
Joined: 2008-07-14

#4888303 Posted on: 08/05/2014 02:14 AM
this is so misleading it's borderline hilarious.

it isn't synology's fault that the user hasn't secured their system / NAS sufficiently.

EDIT: just read up about their E-Z software that opens it up to takeovers... that's BAAAAAAAAAD!

block the ports ladies and gents, plug them holes!

If there is a known security hole in Synology's software or firmware.....it is their fault..... They have a responsibility to patch any and all known security holes.

benq
Member Guru

Posts: 80
Joined: 2014-02-22

#4888351 Posted on: 08/05/2014 07:12 AM

I'm not a miner so not sure about this, but since they ask for the BTC to be sent to an address in the 1st step, why not just trace it?

I'm not an expert but I think you can't trace that

Twiddles
Maha Guru

Posts: 1114
Joined: 2013-11-15

#4888355 Posted on: 08/05/2014 07:35 AM
A**wipes, this is even worse than the recent mining "joke". This is just a prime example of why the device config is sooo important. We've got a few customers who were also infected, luckily those were just "data storage", imagine losing your backup and database... I hate working 12 hours +

Not everyone is a Security Expert and knows how to lock down ports, configure firewall rules or generate/import SSL certificates, that's not the knowledge you'd expect your average home user to possess, so to blame the user entirely is a bit unfair. There needs to be more education, Synology has a few tutorials: